
Re: Followup: Syslog



Of all the days, it was on Fri, Apr 13, 2001 at 05:54:07PM -0500 that Kevin van Haaren quoth:
> 
> 
> --On Friday, April 13, 2001 3:40 PM -0700 Micah Anderson <micah@riseup.net> 
> hath wrote:
> 
> | One additional tweak which falls into line with the security setups, that
> | I think is a good idea is to make the log files in /var/log to be chattr
> | +a (append only) so logfiles cannot be modified or removed altogether to
> | cover up tracks. This isn't the biggest security trick because all it
> | does is make it if you don't know about chattr then you can't install a
> | trojan. If you've got root then removing the immutability flags is
> | trivial, but only if you know how to, or even know they exist. But it has
> | kept the lower-level admins at a site I work at from modifying the
> | logfiles, which is against policy.
> |
> 
> if you want a real way to do this (more than just obscuring what you've 
> done) go get one of those old dot-matrix printers with fanfold paperfeed 
> and dump your logs to it in addition to the one on drive.  Keep it in a 
> secured room.
> 

Another technique is to use a separate logging server which has the
transmit leads on its ethernet connection snipped.  It's capable of
receiving (via UDP only, since it can't ACK!) log entries, but it's
virtually impossible to start an interactive session remotely to shut
it down or otherwise interfere with it.  It's possible to attack the
server that is sending the log entries to shut down its connection to
the logging server, but this is probably no easier than disabling a
printer on a parallel port (a simple way is to send 10000 formfeeds),
and by the time this can be accomplished, there should already be a
trail of log entries.  Old log entries can be written to multiple CDRs
for archival purposes, with a copy stored in a secure off-site
location.
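A minimal receive-only UDP syslog collector in the spirit of the setup described above, written as an added example for this page (it is not code from the thread or from any syslog implementation): it parses the RFC 3164 priority header, writes with O_APPEND and never truncates, so it keeps working on a log file that has been set append-only with chattr +a, and keeps malformed datagrams verbatim rather than dropping them. The function names and the sample datagrams are constructed for the illustration.

```python
import os
import re
import socket
import tempfile

# RFC 3164 header "<PRI>rest", PRI = facility * 8 + severity, 0..191.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse_syslog(datagram):
    """Return (facility, severity, message); no valid PRI -> kept verbatim, not dropped."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n")
    m = PRI_RE.match(text)
    if not m or int(m.group(1)) > 191:
        return None, None, text
    pri = int(m.group(1))
    return pri // 8, SEVERITIES[pri % 8], m.group(2)

def append_entry(path, facility, severity, message):
    """Append with O_APPEND and never O_TRUNC, so a chattr +a file keeps working."""
    line = f"{facility} {severity} {message}\n"
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
    try:
        os.write(fd, line.encode("utf-8"))
    finally:
        os.close(fd)
    return line

def serve(path, host="0.0.0.0", port=514):
    """Receive-only loop: UDP needs no ACK, so a host with its transmit pair cut still gets it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    while True:
        datagram, _ = sock.recvfrom(8192)
        append_entry(path, *parse_syslog(datagram))

# Constructed sample datagrams, not captured from a real host.
SAMPLE = [
    b"<34>Apr 13 17:54:07 host1 su: 'su root' failed for micah on /dev/pts/2",
    b"<13>Apr 13 17:55:01 host1 cron[123]: (root) CMD (run-parts /etc/cron.hourly)",
    b"garbage with no PRI header",
]

def demo():
    """Run SAMPLE through the same path serve() uses; return the file's lines."""
    path = os.path.join(tempfile.mkdtemp(), "messages")
    for d in SAMPLE:
        append_entry(path, *parse_syslog(d))
    with open(path, encoding="utf-8") as f:
        return f.read().splitlines()
```

Calling demo() writes the three constructed datagrams to a temporary file and returns what landed on disk; serve() is the same path fed from a bound UDP socket.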
